DETAILED ACTION



Restriction 

1. On December 19, 2006, talked to attorney Lindsay G. McGuinness over the
phone regarding restriction requirement on this application. Attorney elects Group I of
the following two groups without traverse. Restriction to one of the following inventions
is required under 35 U.S.C. 121:



I. Claims 1 - 15 and 23 - 26, drawn to Virtual Private Network Protocol, 
classified in class 726, subclass 15. 

II. Claims 16-22 and 27 - 30, drawn to a packet authentication technique to 
determine whether the packet is a secure packet and restore the packet from a 
transformed packet between the private networks over a public network, 
classified in class 713, subclass 170. 

Inventions I and II are related as combination and subcombination disclosed as 
usable together in a single combination. The subcombination is distinct from the 
combination if it is shown to be separately usable. The following case instants: 

Invention I provides a packet encapsulation and transformation techniques 
regarding Virtual Private Network Protocol for secured packet data transfer.

Invention II provides a packet authentication technique to determine whether the
packet is a secure packet and restore the packet from a transformed packet between 
the private networks over a public network. 

This Office Action only addresses the claimed inventions of Group I: Claims 1 - 
15 and 23-26. 

Priority 

1. Applicant's claim for benefit of domestic priority under 35 U.S.C. 119(e) is
acknowledged. 

The application is filed on 9/12/2003 but has a U.S. provisional application 
number 10/661,657 filed on 1/24/2003. 

Double Patenting 

The nonstatutory provisional double patenting rejection is based on a judicially 
created doctrine grounded in public policy (a policy reflected in the statute) so as to 
prevent the unjustified or improper timewise extension of the "right to exclude" granted 
by a patent and to prevent possible harassment by multiple assignees. See In re 
Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 
225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 
(CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re 
Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be
used to overcome an actual or provisional rejection based on a nonstatutory double 
patenting ground provided the conflicting application or patent is shown to be commonly 
owned with this application. See 37 CFR 1.130(b). 

Effective January 1, 1994, a registered attorney or agent of record may sign a
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 

2. Claims 1 - 4, 12 - 15 and 23 - 26 are rejected under the judicially created
doctrine of obviousness-type provisional double patenting as being unpatentable over
claims of copending application 10/661,903. Although the conflicting claims are not
identical, they are not patentably distinct from each other because claims 1 - 4 and 11
of the instant application are envisioned by the claims of the copending application that
contain all the limitations of claims of the instant application and as such claims of the
instant application are not patently distinct from the earlier copending application claim 
and as such are unpatentable for obvious-type provisional double patenting. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraph of 35 U.S.C. 102 that 
forms the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United
States and was published under Article 21(2) of such treaty in the English language.

3. Claims 1, 2, 4 - 6, 8, 9, 11 - 14, 23, 24 and 26 are rejected under 35
U.S.C. 102(e) as being anticipated by Liu (U.S. Patent 2002/0154635) which
incorporates the reference of Caronni et al. (U.S. Patent 6,970,941) as shown in (Liu:
Para [0002]).

As per claim 1, Liu / Caronni teaches a method of securing packet data
transferred between a first and second member of a private network over a backbone, 
the backbone operating according to a routing protocol (Caronni : Column 2 Line 14 - 
35 and Column 4 Line 38 - 52), the method comprising the steps of: 

receiving a packet (Caronni : Column 11 Line 37 - 61);

apportioning the packet into a first portion and a second portion, wherein the first 
portion includes fields of the packet used for transmission of the packet according the 
protocol of the backbone (Caronni : Figure 2B & Column 12 Line 11 - 19: the first 
portion is the SRC/DST real address according the protocol of the backbone); 

transforming the second portion of the packet according to a group security
association associated with the private network to provide a transformed portion
(Caronni : Column 7 Line 5 - 33, Column 3 Line 17 - 21 and Column 11 Line 37 - 43:
VARPDB stores the mappings of the internal / private address, known as node ID,
which is considered as a part of the group security association and the Supernet
contains a modification to the IP packet format that can be used to separate network
behavior from addressing);

appending the first portion of the packet to the transformed portion to provide a
transformed packet (Caronni : Figure 2B & Column 12 Line 11 - 19: the first portion is 
the SRC/DST real addresses according the protocol of the backbone is appended to the 
second portion of SRC/DST virtual addresses); and 

transmitting the transformed packet to the backbone using the private network 
address (Caronni : Column 3 Line 17 - 23). 

As per claim 12, Liu / Caronni teaches a method for securing a communication 
link between at least two members of a private network, the communication link for 
transporting a packet having first header and a payload, the first header identifying a
source address and a destination address packet (Caronni : Column 2 Line 14 - 35 and 
Column 4 Line 38 - 52), the method including the steps of: 

distributing a security association to each of the at least two members of the 
private network (Caronni : Column 10 Line 24 - 29: distributing a part of the security 
association to each member when a new node joined); 

transforming each packet transferred between the at least two members of the 
private network (Caronni : Column 7 Line 5 - 33, Column 3 Line 17 - 21 and Column 11
Line 37 - 43), the step of transforming including the steps of: 

generating a second header, the second header including a source address 
associated with the source address in the first header, and a destination address 
identifying the private network (Caronni : Column 7 Line 5 - 21: the second header is 
the SRC/DST virtual addresses);

replacing the first header of the packet with the generated second header to
provide a modified packet (Caronni : Column 7 Line 5 - 33, Column 3 Line 17-21 and 
Column 11 Line 37-43); 

applying the security association to the modified packet to provide secure 
packet (Caronni : Column 7 Line 5 - 33, Column 3 Line 17 - 21 and Column 11 Line 37
- 43: VARPDB stores the mappings of the internal / private address, known as node ID, 
which is considered as a part of the group security association); and 

appending the first header to the secure packet to provide a transformed 
packet; and forwarding the transformed packet over the communication link using the 
private network address (Caronni : Figure 2B & Column 12 Line 11 - 19: the first portion 
is the SRC/DST real addresses according the protocol of the backbone is appended to 
the second portion of SRC/DST virtual addresses). 

As per claim 23, Liu / Caronni teaches an apparatus at a node for transforming 
packets for forwarding between a plurality of members of a group communicating on a 
scalable private network over a backbone, wherein the backbone operates according to 
a protocol (Caronni : Column 2 Line 14-35 and Column 4 Line 38 - 52), the apparatus 
comprising: 

a key table, the key table including a security association for each group that the 
node is a member (Caronni : Column 7 Line 5 - 33 : VARPDB stores the mappings of 
the internal / private address, known as node ID, which is considered as a part of key 
table);

transform logic operable to apply a security association to only a portion of each
packet transmitted over the private network associated with each group to ensure that a
remaining portion of the packet enabling communication over the backbone according
to the protocol is preserved (Caronni : Figure 2B & Column 12 Line 11 - 19, Column 7
Line 5 - 33, Column 3 Line 17 - 21 and Column 11 Line 37 - 43: only Supernet virtual
address contains a modification to the IP packet format that can be used to separate 
network behavior for forwarding communication between members of the group using 
an private network address associated with the group and the portion of SRC/DST real 
address according the protocol of the backbone is preserved); and 

forwarding logic for forwarding communication between members of the group 
using an private network address associated with the group (Caronni : Column 3 Line 
17-23). 

As per claim 2, 13 and 24, Liu / Caronni teaches the backbone comprises a 
plurality of provider devices (Liu: Page 2 Line 1 - 2), and wherein the step of
transforming is performed by one of the plurality of provider devices in the backbone
(Liu: Para [0050] Line 3 - 7, Para [0065] Line 4 - 7, Para [0066] Line 1 - 4 / 8 - 10 and
Caronni : Column 8 Line 31 - 47: alternatively, the router node, by running SNlogin, can
perform address translation and security encapsulation transparently the same way as
the computer terminal device node does).

As per claim 4, 14 and 26, Liu / Caronni teaches the step of transforming is
performed at the first member of the private network (Caronni : Column 2 Line 27 - 32: 
terminal computer device Di). 

As per claim 5, Liu / Caronni teaches transforming the second portion of the 
packet comprises the steps of: 

generating a group header associated with the private network (Caronni : 
Column 7 Line 10-14: Supernet ID = group ID); 

appending the group header to the second portion of the packet prior to the step 
of transforming the second portion of the packet to provide a modified packet (Caronni : 
Column 11 Line 37 - 61); and

transforming the modified packet according to the group security association 
associated with the private network to provide the transformed packet (Caronni : 
Column 11 Line 37-43, Column 7 Line 5-33, and Column 3 Line 17-21: VARPDB 
stores the mappings of the internal / private address, known as node ID, which is 
considered as a part of the group security association). 

As per claim 6, Liu / Caronni teaches the first portion of the packet comprises a 
first header, the first header having a type, source and destination, and wherein the 
group header comprise a group type, group source and group destination, and wherein 
the step of generating a group header includes the step of copying the type of the first 
header to the group type (Caronni : Column 3 Line 21 - 23 and Column 5 Line 20 - 23:
a selected group address and group type can be used for any type of delivery scheme). 

As per claim 8, Liu / Caronni teaches the group security association is an 
Internet Protocol Security transform (Caronni : Column 9 Line 28: IPSec). 

As per claim 9, Liu / Caronni teaches the group security association is an 
Encapsulated Security Protocol. (Caronni : Column 9 Line 28: ESP protocol). 

As per claim 11, Liu / Caronni teaches receiving, at each member of the
private network, a key corresponding to the private network group security 
association (Caronni : Column 10 Line 26 - 29: KMS = Key Management Server). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

4. Claims 3, 15 and 25 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Liu (U.S. Patent 2002/0154635), in view of Alkhatib et al. (U.S. Patent
2003/0233454).

As per claim 3, 15 and 25, Liu does not disclose expressly an edge device is 
disposed between the first member of the private network and the backbone, and 
wherein the step of transforming is performed at the edge device. 

Alkhatib teaches an edge device is disposed between the first member of the 
private network and the backbone, and wherein the step of transforming is performed at 
the edge device (Alkhatib : Para [0049] Line 14 - 17 and Para [0017] Line 1 - 8: a
gateway, that changes and encapsulates the destination address, can be considered as 
an edge device, which also appears in the specification of the instant application 
(SPEC: Page 3 Line 14: Customer Edge device may also be referred to as a 
gateway device). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Alkhatib within the system of Liu 
because (a) Liu teaches a mechanism to extend private networks onto a public 
infrastructure (Liu: Para [0015] and [0018]) and (b) Alkhatib teaches providing a method 
to create a binding between public address and private address when communicating 
over a private network (Alkhatib : Para [0019]).

5. Claim 7 is rejected under 35 U.S.C. 103(a) as being unpatentable over Liu (U.S.
Patent 2002/0154635). Liu (U.S. Patent 2002/0154635), which incorporates the
reference of Caronni et al. (U.S. Patent 6,970,941) as shown in (Liu: Para [0002]).

As per claim 7, Liu discloses the first header further includes a length, the group 
header further includes a group length, and wherein the method includes the steps of 
copying the length to the group length (Caronni : Column 7 Line 15 - 16 : Examiner 
notes any of the standard protocol format obviously conforms to standard T / L / V fields 
(Type, Length, and Value) as a complete layout of a protocol specification). 

6. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Liu (U.S.
Patent 2002/0154635), in view of Boden et al. (U.S. Patent 6,330,562). 

As per claim 10, Liu does not disclose expressly the group security association is 
an Internet Key Encryption. 

Boden teaches the group security association is an Internet Key Encryption 
(Column 2 Line 4-5: IKE scheme). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Boden within the system of Liu 
because (a) Liu teaches a mechanism to extend private networks onto a public 
infrastructure over a VPN (Virtual Private Network) (Liu: Para [0015] and [0018]) and (b) 
Boden teaches providing a data model for abstracting customer-defined VPN security 
policy information to dynamically negotiate, create, delete, and maintain secure
connections at the IP level with other VPN nodes (Boden : Abstract). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 